The accelerated rate of digital transformation we have seen this past year presents both challenges and endless opportunities for individuals, organizations, businesses, and governments around the world. Cybersecurity is the underpinning of helping protect these opportunities. By examining the influences that are shaping the cyber landscape, and hearing from security experts, industry thought leaders, our customers, and partners—we help strengthen how Microsoft can protect these opportunities.
This month we wrapped season three of Afternoon Cyber Tea with Ann Johnson where Sandra Joyce, a threat intelligence expert joined me for the concluding episode to talk about election security and protecting ourselves against misinformation. Our discussion was incredibly illuminating, and it is a perfect example of the ground we continue to cover in these thoughtful conversations.
Each episode has surfaced perspectives on how our collective approach to cybersecurity ties directly to some of society’s most pressing issues, including the need for more diverse voices in the industry, the impact of a global health emergency, and the urgent need to reframe how we think about security.
The impact of a pandemic on global operations
James Turner, an industry analyst who works to support chief information security officers (CISOs) and strengthen the resilience of the economies for Australia and New Zealand shared his insights in this season’s first episode. He reminded us of that cybersecurity is everyone’s business, using the banking industry to emphasize collaboration between organizations on matters of security, even if those organizations are competitors. “The security operating centers at large banks are on speed dial with each other all the time because the attack against Company A hits Company B the next day.”
Even during a global pandemic, which James has seen as a tremendous catalyst for information-sharing amid budget cuts and workforce impact, he says simply reaching out to peers remains critical to understanding and preventing threats.
For Microsoft’s Chief Information Security Officer, Bret Arsenault, the pandemic has also reinforced the importance of planning and testing emergency scenarios to combat bad actors who attempt to exploit human vulnerabilities and new realities of life and work online.
“We’ve seen a really big increase in ransomware and a lot of activity against Remote Desktop Protocol because so many people are remoting in. When you see broad usage, you will see broad bad actor campaigns against those things.”—Microsoft’s Chief Information Security Officer, Bret Arsenault, Microsoft
So as companies advance their digital transformation, the best way to enable a productive workforce is to secure it with a solid strategy to mitigate opportunism. And while a little digital empathy goes a long way, getting employees to think responsibly about their own security can help remote workforces avoid risk, too.
Reframing cybersecurity as a business imperative
The human side of cybersecurity remains one of the trickiest but most critical areas to tackle in the industry. Many guests said it’s integral to how they advise organizations on threat prevention and mitigation.
Jules Okafor, CEO and founder of RevolutionCyber, built her entire company on the premise of transforming institutional cyber mindset to drive behavior change among employees after seeing too many organizations focused on selling security products instead of solving problems.
“That’s not a cyber mindset. It’s more about how do you surround people with cybersecurity in a way that helps them understand it will make them do their jobs better? Cybersecurity has to be better at aligning with the way people think.”—Jules Okafor, CEO and founder, RevolutionCyber
And I think all of my guests would agree cybersecurity should be prioritized throughout all levels and departments of an organization. Some companies are innovating how they do just that.
“Honestly, some of the most successful cybersecurity internal departments I’ve seen have reported out of risk or finance, not technology.”—Tarah Wheeler, Security Researcher and Fulbright Scholar
Defining cybersecurity as one of the pillars of a business Tarah says, demonstrates that it is critical to your success and more than just an afterthought.
This prioritization reflects a level of understanding that Sandra, my most recent guest, said has become paramount in today’s threat landscape.
As the head of Mandiant Intelligence at FireEye, Sandra discourages a prevention-only mindset. Instead, she advises organizations to assume attacks will happen and to conduct threat profiles that help them strategize how to mitigate the damage when breaches occur.
“If you can understand where you sit in the ecosystem, you can prioritize more and, at the very least, get more efficient” she says. “Don’t just look at the initial intrusion. Don’t let the first day of an attack be the day you determine how to manage it.”
But these steps are not limited to organizations. Theresa Payton, CEO of Fortalice Solutions, and author of Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth, also offered individuals advice on how to guard against the influence of misinformation campaigns. Our conversation touched on the personal data collected by our devices, too, and what we trade for convenience and insights about the patterns of our lives.
“That ubiquitous nature of technology in our lives right now really does have an implication on both privacy but also the risk-versus-reward tradeoff when that data could be really helpful,” she said.
While AI-enabled voice assistants, intelligent appliances, and more can benefit users—think, for example, of discovering an underlying health condition revealed by data collected by your smartwatch—Theresa cautioned against the innumerable unknowns about how that data could be used. And she called on organizations and governing bodies to build security into design and guardrails that prevent helpful technology from hurting us.
The pressing need for more diverse voices in cybersecurity
I am grateful for the chance to talk with guests of unique backgrounds and experiences to hear what inspires them and how they are shaking up the white, male-dominated cybersecurity industry. It became clear that promoting diverse voices goes beyond tapping into a cultural moment—it’s about strengthening the entire industry.
Camille Stewart, head of security policy and election integrity for Android and Google Play, may have put it best when she said, “Racism is inherently a cybersecurity issue because people are at the core of how security controls are adopted and how technology is used. If we do not address issues of systemic racism, the processes and institutions that we are building security into are inherently vulnerable.”
In other words, diversity is threat mitigation, in and of itself.
That is why Camille’s collaboration with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs is so compelling. Together, they launched the #ShareTheMicInCyber campaign to amplify diverse, expert voices in cybersecurity and share insights to help organizations identify blind spots.
It is an important reminder that the cybersecurity industry is a community and that our ability to protect against threats is only as strong as our ability to identify them—together.
This is something I have so valued this season. The diversity of expertise, experiences, and backgrounds reflected in these episodes are, on a grander scale, helping to shape and improve our collective understanding of cybersecurity. I hope you will find useful takeaways from these leaders who are at the fore of securing and strengthening our industry.
To learn more about Microsoft Security solutions visit our website. To learn more about CISO topics and solutions, watch the Microsoft CISO Spotlight Series with our host Theresa Payton. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.